- fix security bug lp:1025185

- make network access optional for XML loading

Fixed bugs:
  - https://launchpad.net/bugs/1025185

(bzr r11931)

1 files changed, 8 insertions, 2 deletions

diff --git a/src/ui/dialog/ocaldialogs.cpp b/src/ui/dialog/ocaldialogs.cpp
index 174f361fd..c7bff185c 100644
--- a/src/ui/dialog/ocaldialogs.cpp
+++ b/src/ui/dialog/ocaldialogs.cpp
@@ -1112,8 +1112,14 @@ void ImportDialog::on_xml_file_read(const Glib::RefPtr<Gio::AsyncResult>& result
     xmlDoc *doc = NULL;
     xmlNode *root_element = NULL;
 
-    doc = xmlReadMemory(data, (int) length, xml_uri.c_str(), NULL,
-            XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR);
+    int parse_options = XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR;  // do not use XML_PARSE_NOENT ! see bug lp:1025185
+    Inkscape::Preferences *prefs = Inkscape::Preferences::get();
+    bool allowNetAccess = prefs->getBool("/options/externalresources/xml/allow_net_access", false);
+    if (!allowNetAccess) {
+        parse_options |= XML_PARSE_NONET;
+    }
+
+    doc = xmlReadMemory(data, (int) length, xml_uri.c_str(), NULL, parse_options);
         
     if (doc == NULL) {
         // If nothing is returned, no results could be found